Migrate dependency management to pnpm #5085
Draft
andrewiggins wants to merge 1 commit into
Replace the root and demo npm lockfiles with a single committed pnpm-lock.yaml and add pnpm-workspace.yaml covering the root package, subpackages, test/ts, and demo. Pin packageManager to pnpm@11.1.0 and move the Volta Node pin to 24.15.0 so the repository runs on a Node version supported by pnpm 11.

Enable pnpm supply-chain hardening in workspace config: strict minimum release age, no-downgrade trust policy, blocked exotic transitive dependencies, strict dependency builds, engine strictness, and an explicit install-script allowBuilds policy. Keep trust-policy exceptions narrow and version-specific for chokidar@4.0.3, preact-render-to-string@6.5.0, reselect@5.1.1, and semver@6.3.1 instead of using a broad age-based bypass. Allow only esbuild build scripts and explicitly deny optional/native watcher or compatibility scripts for @parcel/watcher, fsevents, and styled-components.

Update CI and developer workflows for pnpm: use pnpm/action-setup@v6, pnpm cache keys, frozen installs, pnpm script invocations, pnpm exec for the Husky hook, and pnpm contributor docs. Declare nano-staged as a dev dependency because pnpm exec requires hook tools to be local instead of relying on npx to fetch them. Keep npm pack and npm publish behavior intact for the package release path.

Tighten dependency declarations exposed by pnpm's isolated linker: add demo's explicit sass-embedded dependency for SCSS builds, pin Vite resolutions that were previously coming from npm lockfiles, pin the direct undici dev dependency, and update @actions/github and @actions/glob dev tooling to current versions to avoid older trust-downgrade transitive resolution.

Verification run: pnpm install --frozen-lockfile; pnpm ignored-builds; pnpm run build; pnpm run lint; pnpm run test:unit; pnpm --dir demo run build; npm pack --ignore-scripts --dry-run --json. Also ran pnpm run format:check, which still fails on existing repository-wide formatting and CRLF diagnostics unrelated to this migration.
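The supply-chain policy described in the pull request, as an added example that is not part of this PR or the project's own code: a small Python checker that reads a constructed pnpm-workspace.yaml fragment and flags the two ways such a policy quietly weakens, trust-policy exceptions that are not pinned to an exact version (the description insists on narrow, version-specific exceptions rather than an age-based bypass) and install-script allowances that use a wildcard. The configuration keys (minimumReleaseAge, trustPolicy, trustPolicyExclude, blockExoticSubdeps, strictDepBuilds, engineStrict, allowBuilds), the release-age value 1440, and the YAML layout are assumptions modelled on the description's wording, not copied from the PR's files; the package names and versions are the ones the description lists.

```python
"""Policy check for a pnpm workspace hardening config.

Added example, not part of the pull request. It embeds a constructed
pnpm-workspace.yaml fragment, parses the small YAML subset it needs
(top-level scalars, "- item" lists, and one-level "name: value" maps),
and reports findings that would weaken the policy.
"""
import re

# Constructed sample. Package names and versions mirror the PR
# description; the key names and the 1440-minute release age are
# assumptions and should be checked against the pnpm version in use.
SAMPLE_WORKSPACE_YAML = """\
minimumReleaseAge: 1440
trustPolicy: no-downgrade
trustPolicyExclude:
  - chokidar@4.0.3
  - preact-render-to-string@6.5.0
  - reselect@5.1.1
  - semver@6.3.1
blockExoticSubdeps: true
strictDepBuilds: true
engineStrict: true
allowBuilds:
  esbuild: true
  "@parcel/watcher": false
  fsevents: false
  styled-components: false
"""

# Exact pin: optional scope, package name, "@", then MAJOR.MINOR.PATCH only.
# Ranges ("^4.0.3"), partial versions ("6") and bare names do not match.
EXACT_PIN = re.compile(r"^(@[a-z0-9-]+/)?[a-z0-9._-]+@\d+\.\d+\.\d+$")


def parse_workspace(text):
    """Parse the YAML subset above into a dict.

    Top-level scalars become strings, "- item" blocks become lists and
    indented "name: value" blocks become dicts. An indented line with no
    parent key raises, so a malformed file fails instead of passing.
    """
    config = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():
            key, _, value = line.partition(":")
            current = key.strip()
            config[current] = value.strip() or None
            continue
        if current is None:
            raise ValueError(f"indented line without a parent key: {raw!r}")
        item = line.strip()
        if item.startswith("- "):
            if config[current] is None:
                config[current] = []
            config[current].append(item[2:].strip())
        else:
            name, _, value = item.partition(":")
            if config[current] is None:
                config[current] = {}
            config[current][name.strip().strip('"')] = value.strip()
    return config


def check_policy(config):
    """Return a list of findings; an empty list means the policy holds."""
    findings = []
    if not config.get("minimumReleaseAge"):
        findings.append("missing hardening setting: minimumReleaseAge")
    if config.get("trustPolicy") != "no-downgrade":
        findings.append("trustPolicy should be no-downgrade")
    for flag in ("blockExoticSubdeps", "strictDepBuilds", "engineStrict"):
        if config.get(flag) != "true":
            findings.append(f"{flag} should be true")
    # Every trust exception must name one exact version, never a range.
    for spec in config.get("trustPolicyExclude") or []:
        if not EXACT_PIN.match(spec):
            findings.append(f"trust exception not pinned to an exact version: {spec}")
    # Build allowances are per package and explicit; no wildcards.
    for name, value in (config.get("allowBuilds") or {}).items():
        if "*" in name:
            findings.append(f"wildcard in allowBuilds: {name}")
        if value not in ("true", "false"):
            findings.append(f"allowBuilds entry must be true/false: {name}={value}")
    return findings


if __name__ == "__main__":
    for finding in check_policy(parse_workspace(SAMPLE_WORKSPACE_YAML)) or ["policy ok"]:
        print(finding)
```

Run against a real workspace file by replacing the embedded sample with the file's contents; a non-empty findings list is the signal to block the change in review or CI.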